Dave Wichers is a managing director for application security at Ernst & Young (www.ey.com). He was a cofounder of Aspect Security, a consulting company specializing in application security services that was acquired by EY in 2017. He is also a longtime contributor to OWASP: he helped establish the OWASP Foundation in 2004, served on the OWASP Board from its formation in 2004 through 2013, served as OWASP Conferences Chair from 2005 through 2008, was a coauthor of the OWASP Top 10 from its inception until 2017 release candidate 1, and led the project from 2007 through May 2017. Dave is also the lead of the new OWASP Benchmark project and has contributed to numerous other important OWASP projects, including WebGoat, ESAPI, ASVS, and the OWASP Cheat Sheet Series.
Dave has over 30 years of experience in the information security field, and has focused exclusively on application security since 1998. At EY, he provides a wide variety of application security consulting services to EY's clients. Prior to starting Aspect, he ran the Application Security Services Group at Exodus Communications. Dave has bachelor's and master's degrees in Computer Science and is a CISSP.
I have been contributing to OWASP since 2002. In 2004, Jeff Williams and I established the 501(c)(3) organization that is now the OWASP Foundation. After establishing the OWASP Foundation, I served as the de facto Chief Financial Officer of OWASP until the OWASP Board established an Executive Director in mid-2013. In late 2004, I volunteered to become the OWASP Conferences Chair, where I launched the OWASP Conferences Series, personally organized all the U.S. and European AppSec conferences from 2005 through 2008, and helped launch the Global Conferences Committee in 2009, which organized the conferences from 2009 through 2012. The OWASP Conferences have since grown to serve as a primary revenue-generating resource for OWASP.
As a volunteer to OWASP, Dave is or has been:
- A member of the OWASP Board since it was established in 2004 through the end of 2013,
- The OWASP Conferences Chair from 2005 through 2008,
- Project lead and coauthor of the OWASP Top 10 through May 2017,
- Coauthor of the first version of the OWASP Application Security Verification Standard,
- Contributor to the OWASP Enterprise Security API (ESAPI) project,
- Past lead of the OWASP Prevention Cheat Sheet Series and primary author of the SQL Injection Prevention Cheat Sheet,
- Lead of the OWASP Benchmark project.
For more details than this short bio on what I've done at OWASP, listen to my OWASP podcast.
I've also done lots of OWASP conference presentations. Here are some of them:
- 2015 AppSec USA: Using the OWASP Benchmark to Assess Automated Vulnerability Analysis Tools
- 2014 AppSec AsiaPac: AppSec at DevOps Speed and Portfolio Scale talk abstract
- 2014 AppSec AsiaPac: OWASP Top 10 2013 talk abstract
- 2013 AppSec USA: OWASP Top 10 2013 talk abstract - Slides - Video
- 2013 AppSec EU: OWASP Top 10 2013 - Slides - Video
- 2012 AppSec USA: Unraveling some of the Mysteries around DOM-based XSS
- 2012 AppSec EU: Unraveling some of the Mysteries around DOM-based XSS
- 2012 AppSec DC: Unraveling some of the Mysteries around DOM-based XSS
- 2010 AppSec DC: Strengths of Combining Code Review with Application Penetration Testing - Video | Slides
- 2010 AppSec Europe: OWASP Top 10 for 2010 - Final - Video | PDF
- 2009 AppSec DC: Debut of the OWASP Top 10 for 2010 Release Candidate - Video | Slides
- 2009 AppSec Ireland: How to Avoid Flaws in the First Place: The OWASP ESAPI Project
- 2009 AppSec Europe: OWASP ASVS Project - Slides
- 2009 AppSec Europe: OWASP Enterprise Security API (ESAPI) Project - Video | Slides
- 2008 AppSec NY: Security in Agile Development - Video | Slides
- 2008 AppSec Europe: Fundamental Application Security Building Blocks - The Benefits of Establishing an Enterprise Security API (ESAPI) for Your Organization - Slides
- 2008 AppSec Europe: Agile Security - Breaking the Waterfall Mindset of the Security Industry - Slides
- 2007 AppSec Europe: OWASP WebGoat and WebScarab - WebGoat Slides | WebScarab Slides
- 2006 AppSec Seattle: Why AJAX Applications are far more likely to be insecure, and What to do about it - Slides
Dave can be reached at: dave.wichers (at) ey.com or dave.wichers (at) owasp.org